As the workweek wound down last Friday, the digital world was hijacked for ransom.
The attack was carried out by a new piece of ransomware called WannaCry. Early reports blamed phishing links and malicious downloads, but WannaCry is a worm: it scanned the internet and local networks for Windows machines exposing the SMBv1 file-sharing service and infected them through a known vulnerability in that service, with no action by the user required. Once installed, it encrypts the files on the machine and demands a bitcoin payment for the decryption key; the ransom note threatens a higher price after a few days and permanent loss of the files after a week.
In roughly 24 hours, the malware infected well over 200,000 machines at organizations in more than 150 countries, including FedEx Corporation, Telefonica, and Renault. The UK's National Health Service (NHS) was hit especially hard: dozens of trusts in England and Scotland shut down their IT systems, unplugged computers, and cancelled non-urgent appointments and procedures on Friday afternoon.
By Saturday, the spread had been largely contained, thanks in part to a UK-based researcher who noticed a “kill switch” in the malware: before encrypting, WannaCry tried to reach an unregistered web domain and exited if the connection succeeded. Registering that domain halted new infections, although it did nothing for machines already encrypted, and variants without the check appeared within days. The aftershocks will continue for weeks as corporations and governments assess their exposure and brace for a second wave of WannaCry or copycat strikes.
Many organizations could have greatly limited their exposure simply by installing the updates Microsoft had already published. The vulnerability WannaCry exploited was fixed in security bulletin MS17-010 on 14 March 2017, two months before the outbreak; the exploit itself, known as EternalBlue, had been dumped publicly in April. Machines with the March update applied could not be infected over the network. Windows XP and other versions no longer under support, which had received no patch, were covered only by an emergency update Microsoft issued after the attack began. The risk posed by ransomware, and by malware in general, is broader than a single vulnerability, however: 2016 saw a sharp rise in attacks on data in industries ranging from law to financial services.
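The two questions a Windows administrator needed to answer that weekend were whether MS17-010 was installed and whether the SMBv1 protocol the worm used was still enabled. The script below, added here as an example and not part of the original article, checks both on the local host and applies Microsoft's documented SMBv1 disable setting. The KB numbers are the March 2017 package IDs listed in the MS17-010 bulletin as I recall them; treat them as an assumption to confirm against the bulletin for your exact build, and note that later cumulative updates supersede them, so the SMBv1 check is the more durable test.

```powershell
# Added example (not from the original article): audit one Windows host for
# the vector WannaCry used, i.e. whether MS17-010 is installed and whether
# SMBv1 is still enabled. Run from an elevated PowerShell prompt.
# KB IDs are the March 2017 MS17-010 packages (assumption: verify against
# the bulletin). Later cumulative updates replace them, so a missing KB on
# its own does not prove exposure; an enabled SMBv1 does.
$Ms17010Kbs = @(
    'KB4012598',               # Windows Vista / Server 2008 (and the later XP / 2003 package)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # $true if any MS17-010 package is present in the installed hotfix list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting via the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the LanmanServer SMB1 registry value governs it.
    # SMBv1 is enabled (the default) unless the value exists and is 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Disable-Smb1 {
    # Weak state: SMBv1 enabled, the out-of-the-box default on every affected
    # version. Hardened state: SMBv1 off. Windows 7 / 2008 R2 need a reboot.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
}

$patched = Test-Ms17010Installed
$smb1On  = Get-Smb1Enabled
"MS17-010 package present : $patched"
"SMBv1 enabled            : $smb1On"
if (-not $patched -or $smb1On) {
    Write-Warning 'Host is exposed to the SMBv1 vector WannaCry used: install MS17-010 (or a later cumulative update) and run Disable-Smb1.'
}
```

Disabling SMBv1 is the right long-term fix regardless of patch level, but check first for legacy devices (old multifunction printers and NAS units are the usual offenders) that still depend on it, and disable the protocol on the domain through Group Policy rather than host by host once the audit is done.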
The healthcare sector has proven disproportionately vulnerable: hospitals accounted for 88% of the ransomware detections reported for 2016, according to Becker’s Hospital Review[i]. Of the forty-two ransomware-related Inside Scoops published since the start of last year, thirty-six came from healthcare or health services organizations. Most of the resulting spending was reactive, as organizations scrambled to shore up their security infrastructure after the wave of ransomware strikes in early 2016.
At Bon Secours Health System, IT leaders took a detour from an ongoing three-year network security project specifically to address the rising threat of ransomware. Other providers, such as United Hospital System, responded with increased investment in data backup systems to mitigate the impact of a malware intrusion. OSF Healthcare sought to minimize risk by launching a security training initiative for employees.
Health systems and hospitals are a prime target for digital extortion because of the confidential nature of the data they store, coupled with the life-or-death functions for which they rely on technology. In the United States, the sprint to implement Electronic Medical Records (EMR) systems and electronic data exchanges in time to meet Meaningful Use program deadlines forced many providers to digitize reams of data at breakneck speed, with little time to build an adequate security infrastructure around it. With the wellbeing and privacy of patients at stake, many health systems saw little choice but to pay the ransoms in the wake of the 2016 attacks.
The global panic spurred by last week’s crisis will likely lead many organizations to channel additional resources into implementing and supporting information security systems and applications. Security vendors and consultants fluent in the healthcare space, in particular, may prove to be the high-tech heroes of 2017 if they can quickly and precisely align their services with the needs of underprepared clients.